In article <m106lQl-0000V1C@sea.lucon.org>, hjl@lucon.org (H.J. Lu) writes:
>> > from the remote site. For some reason, the response never comes.
>> > Is it possible that the Linux gateway doesn't forward those bytes
>> > sent to the remote site under certain conditions? What should I
>> > look for?
>>
>> If the MTU of the two links is different you should look for outgoing
>> frames through the router with no reply when the size of the reply would be
>> large. That's a clear indication that the remote site has firewalls set up
>> by overpaid underbrained morons from one of the many rich and clueless
>> consulting firms who think blocking all icmp on a firewall is a valid
>> thing to do.

> I am not sure if it is the case:
>
> 1. I can access the web site in question on the Linux router.
> 2. Here is the slip interface on the router:

This explains it. Your other box is connected to an ethernet with an MTU of 1500. Thus it sends an MSS option of 1500-X in the initial SYN of the TCP connection. Now the other server correctly sets its MSS to 1500-X and sends packets of that size with the Don't-Fragment bit set for PMTU discovery. Once they reach the other end of your slip link they get dropped and the router sends back an ICMP frag-needed to tell the other box to lower its pmtu - but because of the ICMP-blocking firewalls set up by the people so nicely described by Alan, it never sees them. It does not happen from your router box, because there the first interface has a 576 MTU, which means that TCP only puts a small MSS option in the first SYN; all packets that are exchanged are small and no pmtu discovery is needed.

One workaround: set the mtu on the gateway route you use on the other box (route add default gw ROUTER mss 576), then the MSS will contain small values from the beginning. It would be better to complain to the sites that don't work, because it is clearly a misconfiguration on their part. Another workaround is to increase the sl0 MTU to 1500 bytes.

-Andi
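The PMTU black hole Andi describes, as an added model (not code from the thread): a client advertises an MSS derived from its interface MTU, the server sends full-size DF packets, and the SLIP hop drops them while the ICMP frag-needed is filtered on the far side. The header size X is assumed to be 40 bytes (IPv4 + TCP without options), and the `mss 576` route keyword is modelled as Andi explains it, as an MTU clamp on the route; hop names and the `scenario` helper are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

IP_TCP_HDR = 40  # the "X" in 1500-X: IPv4 + TCP headers without options (assumption)


@dataclass
class Hop:
    name: str
    mtu: int


def advertised_mss(iface_mtu: int, route_mtu: Optional[int] = None) -> int:
    """MSS the client puts in its SYN: egress MTU (clamped by a route MTU) minus headers."""
    mtu = min(iface_mtu, route_mtu) if route_mtu else iface_mtu
    return mtu - IP_TCP_HDR


def send_reply(server_mtu: int, client_mss: int, path: List[Hop],
               icmp_blocked: bool, max_retries: int = 3) -> Tuple[str, int, List[str]]:
    """Server sends a full-size DF packet towards the client over `path`.

    Returns (outcome, last_packet_size, trace). If the server's firewall filters ICMP,
    frag-needed never arrives, every retransmit has the same size and the transfer
    black-holes; otherwise PMTU discovery shrinks the packet and it gets through.
    """
    pmtu = min(server_mtu, client_mss + IP_TCP_HDR)  # server's initial path-MTU estimate
    trace: List[str] = []
    for _ in range(max_retries + 1):
        size = pmtu
        bottleneck = next((h for h in path if h.mtu < size), None)
        if bottleneck is None:
            trace.append(f"{size}B packet delivered")
            return "delivered", size, trace
        trace.append(f"{size}B DF packet dropped at {bottleneck.name} (MTU {bottleneck.mtu}); "
                     "router sends ICMP frag-needed")
        if icmp_blocked:
            trace.append("ICMP frag-needed filtered at the server side; retransmit same size")
            continue
        pmtu = bottleneck.mtu
        trace.append(f"server lowers PMTU to {pmtu}")
    return "blackhole", size, trace


def scenario(client_iface_mtu: int, slip_mtu: int, icmp_blocked: bool,
             route_mtu: Optional[int] = None, server_mtu: int = 1500):
    """Server -> internet -> sl0 -> client, with the client's advertised MSS derived as above."""
    path = [Hop("internet", 1500), Hop("sl0", slip_mtu)]  # constructed path
    return send_reply(server_mtu, advertised_mss(client_iface_mtu, route_mtu), path, icmp_blocked)
```

`scenario(1500, 576, True)` is the failing other box, `scenario(576, 576, True)` the router itself, and `scenario(1500, 576, True, route_mtu=576)` and `scenario(1500, 1500, True)` the two workarounds; `scenario(1500, 576, False)` shows PMTU discovery recovering once ICMP is allowed through.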

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/